This article describes how to install the Microsoft Internet
Security and Acceleration (ISA) Server 2004 Microsoft Firewall Client program
on client computers from a command line or by using Group
Policy.
Modify the Microsoft Firewall Client installation share
By default, when you install ISA Server 2004 the Firewall Client
program installation files are stored in the following folder location:
C:\Program Files\Microsoft ISA Server\clients
Note In Microsoft Forefront Threat Management Gateway, Medium Business Edition, the Firewall Client program installation files are stored in the Microsoft Forefront Threat Management Gateway, Medium Business Edition installation CD.
In some scenarios, you may want the Firewall Client program
installation files to be located on another computer. To do so, you must
perform a custom ISA Server installation. To perform a custom ISA Server
installation, follow these steps.
Note You cannot customize the Microsoft Forefront Threat Management Gateway, Medium Business Edition installation to modify the Microsoft Firewall Client installation share. However, you can copy the Firewall Client program installation files from Microsoft Forefront Threat Management Gateway, Medium Business Edition installation CD to another computer. Then, you can distribute the Firewall Client from that computer.
- On the computer where you want to store the Firewall Client
program installation files, start ISA Server 2004 Setup.
- In the Microsoft ISA Server 2004 Installation Wizard, click
Next.
- Click I accept the terms in the license
agreement, and then click Next.
- Type your user name and organization in the corresponding
boxes, type your product serial number in the Product Serial
Number box if applicable, and then click
Next.
- Click Custom, and then click
Next.
- Click Firewall Services, click
This feature will not be available, click ISA Server
Management, click This feature will not be available,
click Firewall Client Installation Share, click This
feature will be installed on local hard drive, and then click
Next.
- Click Install, and then click
Finish when the installation is completed
successfully.
Perform an unattended Firewall Client installation
To install the Firewall Client program from a command line, type
the following command:
Path\Setup.exe /v" [SERVER_NAME_OR_IP=NameOfTheIsaServerComputer] [ENABLE_AUTO_DETECT={1 or 0}] [REFRESH_WEB_PROXY={1 or 0}] /qn"
Where:
- Path is the path of the Firewall
Client program installation files, such as:
\\Servername\mspclnt
- NameOfTheIsaServerComputer is
the name of the ISA Server computer where you want the Firewall client to
connect.
- ENABLE_AUTO_DETECT=1 specifies that the Firewall client
automatically detects the ISA Server computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer to connect to.
- REFRESH_WEB_PROXY=1 specifies that the Firewall Client
program configuration is updated by the Web Proxy configuration from the ISA
Server computer or from the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer.
For example, you have a scenario where all the following
conditions are true:
- The Firewall Client installation files are located on a
server named Computer1 and are shared by using the default share
name.
- You want to specify an ISA Server computer or a Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer that is named
Firewall01.
- You do not want to use the Web Proxy configuration from the
ISA Server computer or from the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer.
In this scenario, to install the Firewall Client program, type
the following command from the client computer, and then press ENTER:
\\computer1\mspclnt\setup /v" SERVER_NAME_OR_IP=Firewall01 ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qn"
Note There is no space between /v and the initial double quotation marks ("). Additionally, you must include a space before /qn at the end of the command line.
If you want to configure the Firewall Client program to automatically detect the ISA Server
computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer, you must configure Firewall client and Web Proxy client auto
discovery in Windows. For additional information about how to do this, see the
"Configure auto discovery" section.
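The quoting rules in the note above are easy to break when the command is generated by a deployment script. The following PowerShell is an added example, not part of the original article or of the Firewall Client program; the function names are hypothetical, and it assumes that Setup.exe returns 0 on success. It builds the /v"... /qn" string for the Computer1/Firewall01 scenario and rejects server names that could close the quoted string or add extra installer properties.

```powershell
# Added example. Function names are hypothetical, not part of the product.
function New-FwcSetupArguments {
    param(
        [Parameter(Mandatory = $true)][string]$ServerNameOrIp,
        [ValidateRange(0, 1)][int]$EnableAutoDetect = 0,
        [ValidateRange(0, 1)][int]$RefreshWebProxy = 0
    )
    # Accept only host-name / IPv4 characters. A quotation mark or a space in
    # this value would end the quoted /v string or inject another property.
    if ($ServerNameOrIp -notmatch '^[A-Za-z0-9][A-Za-z0-9._\-]*\z') {
        throw "Invalid server name or IP: '$ServerNameOrIp'"
    }
    $props = "SERVER_NAME_OR_IP=$ServerNameOrIp " +
             "ENABLE_AUTO_DETECT=$EnableAutoDetect " +
             "REFRESH_WEB_PROXY=$RefreshWebProxy"
    # No space between /v and the opening quote; one space before /qn.
    return '/v" ' + $props + ' /qn"'
}

function Install-FirewallClient {
    param(
        [Parameter(Mandatory = $true)][string]$SharePath,      # for example \\computer1\mspclnt
        [Parameter(Mandatory = $true)][string]$ServerNameOrIp,
        [int]$EnableAutoDetect = 0,
        [int]$RefreshWebProxy = 0
    )
    $setup = Join-Path $SharePath 'Setup.exe'
    if (-not (Test-Path -LiteralPath $setup)) {
        throw "Setup.exe not found at $setup"
    }
    $setupArgs = New-FwcSetupArguments -ServerNameOrIp $ServerNameOrIp `
        -EnableAutoDetect $EnableAutoDetect -RefreshWebProxy $RefreshWebProxy
    # Pass the arguments as one string so the embedded quotes reach Setup.exe unchanged.
    $proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
    # Assumption: Setup.exe returns 0 on success.
    if ($proc.ExitCode -ne 0) {
        throw "Setup.exe exited with code $($proc.ExitCode)"
    }
}

# Show the argument string for the scenario in this article (no installation is run).
New-FwcSetupArguments -ServerNameOrIp 'Firewall01' -EnableAutoDetect 0 -RefreshWebProxy 0

# To install on a client computer:
# Install-FirewallClient -SharePath '\\computer1\mspclnt' -ServerNameOrIp 'Firewall01'
```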
Install Firewall Client by using Group Policy
To deploy the Firewall Client program by using Group Policy,
follow these steps:
- Configure the network share for the Firewall Client program
installation files. To do this, see the "To
modify the Microsoft Firewall Client installation share"
section.
- Start the Active Directory Users and Computers tool.
- Right-click the organizational unit that contains the
computers where you want to install the Firewall Client program, and then click
Properties.
- Click the Group Policy tab, and then click
New.
- Type a descriptive name for the Group Policy object, and
then press ENTER.
- If you do not want this policy applied to certain
computers, follow these steps:
- Click Properties, and then click the
Security tab.
- Click Add, type the name of the group
that contains the computers where you do not want the Firewall Client program
installed, and then click Check Names.
- When the name is resolved, click
OK.
- Click the group name that you added, and then click to
clear the following two check boxes in the Allow column, and
then click OK:
Read
Apply Group Policy
- Click Edit, expand Computer
Configuration, expand Software Settings, right-click
Software installation, point to New, and then
click Package.
- In the File name box, type the Universal
Naming Convention (UNC) path of the MS_FWC.msi file, and then click
Open. For example, type
\\Servername\mspclnt\ms_fwc.msi,
and then click Open.
Note Specify the location of the MS_FWC.msi file by using a UNC path
even if this file is stored on the local computer.
- Click Assigned, and then click
OK.
- Quit the Group Policy Object Editor tool, and then click
Close.
To configure the Firewall Client program to automatically detect
the ISA Server computer, you must configure Firewall client and Web Proxy
client auto discovery in Windows. For additional information about how to do
this, see the "Configure auto discovery" section.
Configure auto discovery
To configure the Firewall Client program to automatically detect
the ISA Server computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer, you must configure Firewall client and Web Proxy
client auto discovery in Windows.
For additional information about how to configure Firewall Client and Web Proxy client auto
discovery in Windows, click the following article numbers to view the articles
in the Microsoft Knowledge Base:
309814 How to configure Firewall and Web Proxy client autodiscovery in Windows 2000
252898 How to enable Proxy Autodiscovery in Windows 2000
296591 A description of the Automatic Discovery feature
Additionally, you must configure ISA Server 2004 or Microsoft Forefront Threat Management Gateway, Medium Business Edition to
provide automatic discovery information to Firewall clients and to Web Proxy
clients. To do this, follow these steps:
- Start the ISA Server Management tool.
- Expand
ServerName, where
ServerName is the name of your ISA Server
computer.
- For ISA 2004 or for ISA 2006, expand Configuration, and then click Networks. For Microsoft Forefront Threat Management Gateway, Medium Business Edition, click Networking, and then click Networks in the middle pane.
- Right-click the network that you want ISA Server to publish
auto discovery information about, and then click Properties.
For example, right-click Internal, and then click
Properties.
- Click the Auto Discovery tab, click to
select the Publish automatic discovery information check box,
and then click OK.
- Click Apply to update the firewall policy,
and then click OK.
Troubleshooting
- You cannot assign a different ISA server or a different Microsoft Forefront Threat Management Gateway, Medium Business Edition server to each
organizational unit.
You cannot assign a different ISA server or a different Microsoft Forefront Threat Management Gateway, Medium Business Edition server to each
organizational unit by using the Mspclnt.ini file. This was possible in
Microsoft Internet Security and Acceleration Server 2000. If you want to assign
a different ISA server to each organizational unit, you must create a Group
Policy object for that organizational unit that runs the Setup.exe command from
the Mspclnt share. Configure the Setup.exe command to specify the ISA server
or the Microsoft Forefront Threat Management Gateway, Medium Business Edition server where you want the Firewall Client program to connect.
For additional information about the command-line structure to use, see the "To perform an unattended Firewall Client
installation" section.
- The Firewall Client program does not automatically detect
the ISA Server computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer.
After you deploy the Firewall Client program,
the Firewall Client program may not automatically detect the ISA Server
computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer. This behavior occurs if another service listens on the port that the ISA Server uses to publish
auto discovery information. Or, this behavior occurs if another service listens on the port that the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server uses to publish
auto discovery information. By default, the ISA Server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server publishes auto discovery
information on port 80. If another service such as Microsoft Internet
Information Services (IIS) is running on the ISA Server computer or on the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer, Firewall
clients may not be able to obtain auto discovery information. To troubleshoot
this issue, temporarily stop other services that listen on port 80.
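To find which service to stop, list the processes that are listening on TCP port 80 on the ISA Server or Forefront Threat Management Gateway computer. The following PowerShell is an added example, not part of the original article; Get-Port80Listener is a hypothetical helper name, the sample lines are constructed, and the parser assumes the English-language netstat state text LISTENING.

```powershell
# Added example. Get-Port80Listener is a hypothetical helper name.
function Get-Port80Listener {
    param(
        # Defaults to live output; pass saved lines to analyze another computer.
        [string[]]$NetstatLines = (netstat -ano)
    )
    foreach ($line in $NetstatLines) {
        # netstat -ano TCP columns: Proto, Local Address, Foreign Address, State, PID
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        if ($f[3] -ne 'LISTENING' -or $f[1] -notmatch ':80$') { continue }
        $procId = [int]$f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            ProcessId    = $procId
            ProcessName  = $(if ($proc) { $proc.ProcessName } else { '<not running here>' })
        }
    }
}

# Constructed sample lines (not captured from a real server).
$sample = @(
    '  TCP    0.0.0.0:80       0.0.0.0:0      LISTENING    4',
    '  TCP    0.0.0.0:8080     0.0.0.0:0      LISTENING    1812',
    '  TCP    10.0.0.1:80      10.0.0.25:1091 ESTABLISHED  4',
    '  UDP    0.0.0.0:1745     *:*                         1812'
)
# Only the first sample line is a listener on port 80.
Get-Port80Listener -NetstatLines $sample | Format-Table LocalAddress, ProcessId, ProcessName

# Live check on the local computer:
Get-Port80Listener | Format-Table LocalAddress, ProcessId, ProcessName

# PID 4 (System) means that HTTP.sys holds the port for another service such as
# IIS. On Windows Server 2008 and later, "netsh http show servicestate" lists
# the URLs registered with HTTP.sys and the processes that own them.
```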